Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

Alan DeKok <aland@deployingradius.com> Wed, 30 June 2021 13:38 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2227C3A1CEC for <emu@ietfa.amsl.com>; Wed, 30 Jun 2021 06:38:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IgztYS6guL1T for <emu@ietfa.amsl.com>; Wed, 30 Jun 2021 06:38:11 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68FF83A1CE7 for <emu@ietf.org>; Wed, 30 Jun 2021 06:38:11 -0700 (PDT)
Received: from [192.168.46.129] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id EDC95216; Wed, 30 Jun 2021 13:38:08 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <26359.1625006432@localhost>
Date: Wed, 30 Jun 2021 09:38:07 -0400
Cc: EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BFA8E5C4-D368-41BF-AFA9-BAA35B666F8A@deployingradius.com>
References: <DB6D339A-710C-4EC4-9F8E-4B8602632AE1@deployingradius.com> <CABXxEz8EBUz_y1FmQTE9C8cpF+3vqy-mPCx8CnyUMZ72pNifAA@mail.gmail.com> <SJ0PR00MB1038767373E0DE9E3D7BE0DA95039@SJ0PR00MB1038.namprd00.prod.outlook.com> <C7DBE2EB-82BF-4229-B0AF-4BA48B2D45BC@deployingradius.com> <7332.1624927848@localhost> <4F79B7DB-7E55-4564-88AE-C6E2AF8FD293@deployingradius.com> <26359.1625006432@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/F2dw321uRl5qydu8sKxchWJZyIY>
Subject: Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2021 13:38:17 -0000

On Jun 29, 2021, at 6:40 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> I think that today, the answer is probably too bad because too complex.

  Yes.

> But, I think that most phones can do "Enterprise" WPA, and so a certificate
> can be loaded in to do EAP-TLS.

  ... somehow.  :(  Phone vendors are making this more difficult as time progresses.  I've heard from MDM vendors who are largely giving up, as the APIs, limitations, and capabilities keep changing.

  Which is why I'm trying to find something which is useful, and which doesn't require massive new infrastructure.

  If the answer is "use TPM", then that doesn't meet people's existing needs.  It will also take many years for it to become standardized, much less ubiquitous.  As an example, here's an EAP / TPM paper from 2010:

https://www.semanticscholar.org/paper/EAP-TPM-%3A-A-New-Authentication-Protocol-for-IEEE-.-Latze/6d755cf4d1ac1da25c8d02a2e5cba56212149d69

  So we've had this capability for a decade.  But no one has found time / interest in moving forward with it.  This makes me think that TPM is not really the best choice here.

  Alan DeKok.